I think that eap2vp, vp2eap function in peap.c should be modified as follows ===================================================================================================== static VALUE_PAIR *eap2vp(EAP_DS *eap_ds, const uint8_t *data, unsigned int data_len) { uint16_t eap_len, len, total; VALUE_PAIR *vp = NULL; VALUE_PAIR *eap_msg = NULL; const unsigned char *ptr = NULL; int first = 1; /* * Sanity check this... */ if (data_len + EAP_HEADER_LEN > 65534) { radlog(L_ERR, "rlm_eap_peap: EAP Response packet is too large."); return NULL; } len = eap_len = total = EAP_HEADER_LEN + data_len; do { if (eap_len > 253) { len = 253; eap_len -= 253; } else { len = eap_len; eap_len = 0; } /* * create a value pair & append it to the packet list * This memory gets freed up when packet is freed up */ eap_msg = paircreate(PW_EAP_MESSAGE, PW_TYPE_OCTETS); if (first) { eap_msg->strvalue[0] = PW_EAP_RESPONSE; eap_msg->strvalue[1] = eap_ds->response->id; total = htons (total); memcpy(&eap_msg->strvalue[2], &total, sizeof(uint16_t)); ptr = data; memcpy(&eap_msg->strvalue[4], ptr, len - 4); ptr = ptr + len - 4; first = 0; } else { memcpy(eap_msg->strvalue, ptr, len); eap_msg->length = len; ptr += len; } pairadd(&vp, eap_msg); eap_msg = NULL; } while (eap_len); return vp; } static int vp2eap(tls_session_t *tls_session, VALUE_PAIR *vp) { VALUE_PAIR *first, *vps; uint16_t len; int total_len; /* * Get only EAP-Message attribute list */ first = pairfind(vp, PW_EAP_MESSAGE); if (first == NULL) { radlog(L_ERR, "vp2eap: EAP-Message not found"); return 0; } /* * Sanity check the length before doing anything. */ if (first->length < 4) { radlog(L_ERR, "vp2eap: EAP packet is too short."); return 0; } /* * Get the Actual length from the EAP packet * First EAP-Message contains the EAP packet header */ memcpy(&len, first->strvalue + 2, sizeof(len)); len = ntohs(len); /* * Take out even more weird things. */ if (len < 4) { radlog(L_ERR, "vp2eap: EAP packet has invalid length."); return 0; } /* * Sanity check the length, BEFORE malloc'ing memory. */ total_len = 0; for (vps = first; vps; vps = pairfind(vps->next, PW_EAP_MESSAGE)) { total_len += vps->length; if (total_len > len) { radlog(L_ERR, "vp2eap: Malformed EAP packet." " Length in packet header does not match actual length"); return 0; } } /* * If the length is SMALLER, die, too. */ if (total_len < len) { radlog(L_ERR, "vp2eap: Malformed EAP packet. " " Length in packet header does not match actual length"); return 0; } /* RADIUS ensures order of attrs, so just concatenate all */ for (vps = first; vps; vps = pairfind(vps->next, PW_EAP_MESSAGE)) { if (vps == first) record_plus(&tls_session->clean_in, vps->strvalue + EAP_HEADER_LEN, vps->length - EAP_HEADER_LEN); else record_plus(&tls_session->clean_in, vps->strvalue, vps->length); } tls_handshake_send(tls_session); record_init(&tls_session->clean_in); return 1; } ===================================================== 시큐아이닷컴(주) 서울시 서초구 양재동 261-8 우제빌딩 5층 유넷사업부 애니클릭팀 IA 파트장 양 승 용 Tel. 02-390-8077 Fax. 02)390-8099 Hp. 016-383-6558 Email. joshua.yang@samsung.com =====================================================
participants (1)
-
양승용